Thursday, October 3, 2013

Yahoo announces security exploit bounty with payments up to $15,000

Earlier this week, Yahoo was accused of using change in its sofa cushions
as compensation for reports of security exploits, but now the whole
ordeal has generated enough buzz to bring about change for the internet
pioneer. As it turns out, these small prizes (along with rewards such as
t-shirts) were paid for out of pocket by Ramses Martinez, the director
of Yahoo's security team, who took a moment today to explain the
company's new -- and far more lucrative -- bounty program. Moving
forward, Yahoo will reward security researchers with payments that range
between $150 and $15,000 for issues that it deems "new, unique and / or
high-risk."

The company is still in the early stages of hammering out a new
policy, but promises that payments will be determined "by a clear system
based on a set of defined elements that capture the severity of the
issue." Yes, these amounts still pale in comparison to the massive sums
that Microsoft recently offered, but researchers now have reasonable
incentive to inform Yahoo of the exploits, rather than sell them on the
black market. According to Martinez, Yahoo's revised policy will be
available by the end of the month, and as a nice gesture, its new reward
structure will retroactively apply to all bugs submitted from July 1st
onward.